1 /*
2 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * ECDSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <string.h> /* memcpy */
17 #include <openssl/crypto.h>
18 #include <openssl/core_dispatch.h>
19 #include <openssl/core_names.h>
20 #include <openssl/dsa.h>
21 #include <openssl/params.h>
22 #include <openssl/evp.h>
23 #include <openssl/err.h>
24 #include <openssl/proverr.h>
25 #include "internal/nelem.h"
26 #include "internal/sizes.h"
27 #include "internal/cryptlib.h"
28 #include "internal/deterministic_nonce.h"
29 #include "prov/providercommon.h"
30 #include "prov/implementations.h"
31 #include "prov/provider_ctx.h"
32 #include "prov/securitycheck.h"
33 #include "prov/der_ec.h"
34 #include "crypto/ec.h"
35
36 static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
37 static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
38 static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
39 static OSSL_FUNC_signature_sign_fn ecdsa_sign;
40 static OSSL_FUNC_signature_sign_message_update_fn ecdsa_signverify_message_update;
41 static OSSL_FUNC_signature_sign_message_final_fn ecdsa_sign_message_final;
42 static OSSL_FUNC_signature_verify_fn ecdsa_verify;
43 static OSSL_FUNC_signature_verify_message_update_fn ecdsa_signverify_message_update;
44 static OSSL_FUNC_signature_verify_message_final_fn ecdsa_verify_message_final;
45 static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_sign_init;
46 static OSSL_FUNC_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
47 static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
48 static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
49 static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
50 static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
51 static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
52 static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
53 static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types;
54 static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
55 static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
56 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_set_ctx_params;
57 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
58 static OSSL_FUNC_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
59 static OSSL_FUNC_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
60 static OSSL_FUNC_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
61 static OSSL_FUNC_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;
62 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_sigalg_set_ctx_params;
63 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_sigalg_settable_ctx_params;
64
65 /*
66 * What's passed as an actual key is defined by the KEYMGMT interface.
67 * We happen to know that our KEYMGMT simply passes DSA structures, so
68 * we use that here too.
69 */
70
71 typedef struct {
72 OSSL_LIB_CTX *libctx;
73 char *propq;
74 EC_KEY *ec;
75 /* |operation| reuses EVP's operation bitfield */
76 int operation;
77
78 /*
79 * Flag to determine if a full sigalg is run (1) or if a composable
80 * signature algorithm is run (0).
81 *
82 * When a full sigalg is run (1), this currently affects the following
83 * other flags, which are to remain untouched after their initialization:
84 *
85 * - flag_allow_md (initialized to 0)
86 */
87 unsigned int flag_sigalg : 1;
88 /*
89 * Flag to determine if the hash function can be changed (1) or not (0)
90 * Because it's dangerous to change during a DigestSign or DigestVerify
91 * operation, this flag is cleared by their Init function, and set again
92 * by their Final function.
93 */
94 unsigned int flag_allow_md : 1;
95
96 /* The Algorithm Identifier of the combined signature algorithm */
97 unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
98 size_t aid_len;
99
100 /* main digest */
101 char mdname[OSSL_MAX_NAME_SIZE];
102 EVP_MD *md;
103 EVP_MD_CTX *mdctx;
104 size_t mdsize;
105
106 /* Signature, for verification */
107 unsigned char *sig;
108 size_t siglen;
109
110 /*
111 * Internally used to cache the results of calling the EC group
112 * sign_setup() methods which are then passed to the sign operation.
113 * This is used by CAVS failure tests to terminate a loop if the signature
114 * is not valid.
115 * This could of also been done with a simple flag.
116 */
117 BIGNUM *kinv;
118 BIGNUM *r;
119 #if !defined(OPENSSL_NO_ACVP_TESTS)
120 /*
121 * This indicates that KAT (CAVS) test is running. Externally an app will
122 * override the random callback such that the generated private key and k
123 * are known.
124 * Normal operation will loop to choose a new k if the signature is not
125 * valid - but for this mode of operation it forces a failure instead.
126 */
127 unsigned int kattest;
128 #endif
129 #ifdef FIPS_MODULE
130 /*
131 * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
132 * message is not permitted. However, signing based on a digest is still
133 * permitted.
134 */
135 int verify_message;
136 #endif
137 /* If this is set then the generated k is not random */
138 unsigned int nonce_type;
139 OSSL_FIPS_IND_DECLARE
140 } PROV_ECDSA_CTX;
141
ecdsa_newctx(void * provctx,const char * propq)142 static void *ecdsa_newctx(void *provctx, const char *propq)
143 {
144 PROV_ECDSA_CTX *ctx;
145
146 if (!ossl_prov_is_running())
147 return NULL;
148
149 ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
150 if (ctx == NULL)
151 return NULL;
152
153 OSSL_FIPS_IND_INIT(ctx)
154 ctx->flag_allow_md = 1;
155 #ifdef FIPS_MODULE
156 ctx->verify_message = 1;
157 #endif
158 ctx->libctx = PROV_LIBCTX_OF(provctx);
159 if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) {
160 OPENSSL_free(ctx);
161 ctx = NULL;
162 }
163 return ctx;
164 }
165
ecdsa_setup_md(PROV_ECDSA_CTX * ctx,const char * mdname,const char * mdprops,const char * desc)166 static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
167 const char *mdname, const char *mdprops,
168 const char *desc)
169 {
170 EVP_MD *md = NULL;
171 size_t mdname_len;
172 int md_nid, md_size;
173 WPACKET pkt;
174 unsigned char *aid = NULL;
175
176 if (mdname == NULL)
177 return 1;
178
179 mdname_len = strlen(mdname);
180 if (mdname_len >= sizeof(ctx->mdname)) {
181 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
182 "%s exceeds name buffer length", mdname);
183 return 0;
184 }
185 if (mdprops == NULL)
186 mdprops = ctx->propq;
187 md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
188 if (md == NULL) {
189 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
190 "%s could not be fetched", mdname);
191 return 0;
192 }
193 md_size = EVP_MD_get_size(md);
194 if (md_size <= 0) {
195 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
196 "%s has invalid md size %d", mdname, md_size);
197 goto err;
198 }
199 md_nid = ossl_digest_get_approved_nid(md);
200 #ifdef FIPS_MODULE
201 if (md_nid == NID_undef) {
202 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
203 "digest=%s", mdname);
204 goto err;
205 }
206 #endif
207 /* XOF digests don't work */
208 if (EVP_MD_xof(md)) {
209 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
210 goto err;
211 }
212
213 #ifdef FIPS_MODULE
214 {
215 int sha1_allowed
216 = ((ctx->operation
217 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
218
219 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
220 OSSL_FIPS_IND_SETTABLE1,
221 ctx->libctx,
222 md_nid, sha1_allowed, desc,
223 ossl_fips_config_signature_digest_check))
224 goto err;
225 }
226 #endif
227
228 if (!ctx->flag_allow_md) {
229 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
230 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
231 "digest %s != %s", mdname, ctx->mdname);
232 goto err;
233 }
234 EVP_MD_free(md);
235 return 1;
236 }
237
238 EVP_MD_CTX_free(ctx->mdctx);
239 EVP_MD_free(ctx->md);
240
241 ctx->aid_len = 0;
242 #ifndef FIPS_MODULE
243 if (md_nid != NID_undef) {
244 #else
245 {
246 #endif
247 if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
248 && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec,
249 md_nid)
250 && WPACKET_finish(&pkt)) {
251 WPACKET_get_total_written(&pkt, &ctx->aid_len);
252 aid = WPACKET_get_curr(&pkt);
253 }
254 WPACKET_cleanup(&pkt);
255 if (aid != NULL && ctx->aid_len != 0)
256 memmove(ctx->aid_buf, aid, ctx->aid_len);
257 }
258
259 ctx->mdctx = NULL;
260 ctx->md = md;
261 ctx->mdsize = (size_t)md_size;
262 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
263
264 return 1;
265 err:
266 EVP_MD_free(md);
267 return 0;
268 }
269
270 static int
271 ecdsa_signverify_init(PROV_ECDSA_CTX *ctx, void *ec,
272 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
273 const OSSL_PARAM params[], int operation,
274 const char *desc)
275 {
276 if (!ossl_prov_is_running()
277 || ctx == NULL)
278 return 0;
279
280 if (ec == NULL && ctx->ec == NULL) {
281 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
282 return 0;
283 }
284
285 if (ec != NULL) {
286 if (!EC_KEY_up_ref(ec))
287 return 0;
288 EC_KEY_free(ctx->ec);
289 ctx->ec = ec;
290 }
291
292 ctx->operation = operation;
293
294 OSSL_FIPS_IND_SET_APPROVED(ctx)
295 if (!set_ctx_params(ctx, params))
296 return 0;
297 #ifdef FIPS_MODULE
298 if (!ossl_fips_ind_ec_key_check(OSSL_FIPS_IND_GET(ctx),
299 OSSL_FIPS_IND_SETTABLE0, ctx->libctx,
300 EC_KEY_get0_group(ctx->ec), desc,
301 (operation & (EVP_PKEY_OP_SIGN
302 | EVP_PKEY_OP_SIGNMSG)) != 0))
303 return 0;
304 #endif
305 return 1;
306 }
307
308 static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[])
309 {
310 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
311
312 #ifdef FIPS_MODULE
313 ctx->verify_message = 1;
314 #endif
315 return ecdsa_signverify_init(ctx, ec, ecdsa_set_ctx_params, params,
316 EVP_PKEY_OP_SIGN, "ECDSA Sign Init");
317 }
318
319 /*
320 * Sign tbs without digesting it first. This is suitable for "primitive"
321 * signing and signing the digest of a message.
322 */
323 static int ecdsa_sign_directly(void *vctx,
324 unsigned char *sig, size_t *siglen, size_t sigsize,
325 const unsigned char *tbs, size_t tbslen)
326 {
327 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
328 int ret;
329 unsigned int sltmp;
330 size_t ecsize = ECDSA_size(ctx->ec);
331
332 if (!ossl_prov_is_running())
333 return 0;
334
335 if (sig == NULL) {
336 *siglen = ecsize;
337 return 1;
338 }
339
340 #if !defined(OPENSSL_NO_ACVP_TESTS)
341 if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
342 return 0;
343 #endif
344
345 if (sigsize < (size_t)ecsize)
346 return 0;
347
348 if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
349 return 0;
350
351 if (ctx->nonce_type != 0) {
352 const char *mdname = NULL;
353
354 if (ctx->mdname[0] != '\0')
355 mdname = ctx->mdname;
356 ret = ossl_ecdsa_deterministic_sign(tbs, tbslen, sig, &sltmp,
357 ctx->ec, ctx->nonce_type,
358 mdname,
359 ctx->libctx, ctx->propq);
360 } else {
361 ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r,
362 ctx->ec);
363 }
364 if (ret <= 0)
365 return 0;
366
367 *siglen = sltmp;
368 return 1;
369 }
370
371 static int ecdsa_signverify_message_update(void *vctx,
372 const unsigned char *data,
373 size_t datalen)
374 {
375 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
376
377 if (ctx == NULL)
378 return 0;
379
380 return EVP_DigestUpdate(ctx->mdctx, data, datalen);
381 }
382
383 static int ecdsa_sign_message_final(void *vctx, unsigned char *sig,
384 size_t *siglen, size_t sigsize)
385 {
386 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
387 unsigned char digest[EVP_MAX_MD_SIZE];
388 unsigned int dlen = 0;
389
390 if (!ossl_prov_is_running() || ctx == NULL)
391 return 0;
392 if (ctx->mdctx == NULL)
393 return 0;
394 /*
395 * If sig is NULL then we're just finding out the sig size. Other fields
396 * are ignored. Defer to ecdsa_sign.
397 */
398 if (sig != NULL
399 && !EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
400 return 0;
401 return ecdsa_sign_directly(vctx, sig, siglen, sigsize, digest, dlen);
402 }
403
404 /*
405 * If signing a message, digest tbs and sign the result.
406 * Otherwise, sign tbs directly.
407 */
408 static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
409 size_t sigsize, const unsigned char *tbs, size_t tbslen)
410 {
411 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
412
413 if (ctx->operation == EVP_PKEY_OP_SIGNMSG) {
414 /*
415 * If |sig| is NULL, the caller is only looking for the sig length.
416 * DO NOT update the input in this case.
417 */
418 if (sig == NULL)
419 return ecdsa_sign_message_final(ctx, sig, siglen, sigsize);
420
421 if (ecdsa_signverify_message_update(ctx, tbs, tbslen) <= 0)
422 return 0;
423 return ecdsa_sign_message_final(ctx, sig, siglen, sigsize);
424 }
425 return ecdsa_sign_directly(ctx, sig, siglen, sigsize, tbs, tbslen);
426 }
427
428 static int ecdsa_verify_init(void *vctx, void *ec, const OSSL_PARAM params[])
429 {
430 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
431
432 #ifdef FIPS_MODULE
433 ctx->verify_message = 0;
434 #endif
435 return ecdsa_signverify_init(ctx, ec, ecdsa_set_ctx_params, params,
436 EVP_PKEY_OP_VERIFY, "ECDSA Verify Init");
437 }
438
439 static int ecdsa_verify_directly(void *vctx,
440 const unsigned char *sig, size_t siglen,
441 const unsigned char *tbs, size_t tbslen)
442 {
443 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
444
445 if (!ossl_prov_is_running() || (ctx->mdsize != 0 && tbslen != ctx->mdsize))
446 return 0;
447
448 return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
449 }
450
451 static int ecdsa_verify_set_sig(void *vctx,
452 const unsigned char *sig, size_t siglen)
453 {
454 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
455 OSSL_PARAM params[2];
456
457 params[0] =
458 OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,
459 (unsigned char *)sig, siglen);
460 params[1] = OSSL_PARAM_construct_end();
461 return ecdsa_sigalg_set_ctx_params(ctx, params);
462 }
463
464 static int ecdsa_verify_message_final(void *vctx)
465 {
466 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
467 unsigned char digest[EVP_MAX_MD_SIZE];
468 unsigned int dlen = 0;
469
470 if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
471 return 0;
472
473 /*
474 * The digests used here are all known (see ecdsa_get_md_nid()), so they
475 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
476 */
477 if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
478 return 0;
479
480 return ecdsa_verify_directly(vctx, ctx->sig, ctx->siglen,
481 digest, dlen);
482 }
483
484 /*
485 * If verifying a message, digest tbs and verify the result.
486 * Otherwise, verify tbs directly.
487 */
488 static int ecdsa_verify(void *vctx,
489 const unsigned char *sig, size_t siglen,
490 const unsigned char *tbs, size_t tbslen)
491 {
492 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
493
494 if (ctx->operation == EVP_PKEY_OP_VERIFYMSG) {
495 if (ecdsa_verify_set_sig(ctx, sig, siglen) <= 0)
496 return 0;
497 if (ecdsa_signverify_message_update(ctx, tbs, tbslen) <= 0)
498 return 0;
499 return ecdsa_verify_message_final(ctx);
500 }
501 return ecdsa_verify_directly(ctx, sig, siglen, tbs, tbslen);
502 }
503
504 /* DigestSign/DigestVerify wrappers */
505
506 static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
507 void *ec, const OSSL_PARAM params[],
508 int operation, const char *desc)
509 {
510 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
511
512 if (!ossl_prov_is_running())
513 return 0;
514
515 #ifdef FIPS_MODULE
516 ctx->verify_message = 1;
517 #endif
518 if (!ecdsa_signverify_init(vctx, ec, ecdsa_set_ctx_params, params,
519 operation, desc))
520 return 0;
521
522 if (mdname != NULL
523 /* was ecdsa_setup_md already called in ecdsa_signverify_init()? */
524 && (mdname[0] == '\0' || OPENSSL_strcasecmp(ctx->mdname, mdname) != 0)
525 && !ecdsa_setup_md(ctx, mdname, NULL, desc))
526 return 0;
527
528 ctx->flag_allow_md = 0;
529
530 if (ctx->mdctx == NULL) {
531 ctx->mdctx = EVP_MD_CTX_new();
532 if (ctx->mdctx == NULL)
533 goto error;
534 }
535
536 if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
537 goto error;
538 return 1;
539 error:
540 EVP_MD_CTX_free(ctx->mdctx);
541 ctx->mdctx = NULL;
542 return 0;
543 }
544
545 static int ecdsa_digest_sign_init(void *vctx, const char *mdname, void *ec,
546 const OSSL_PARAM params[])
547 {
548 return ecdsa_digest_signverify_init(vctx, mdname, ec, params,
549 EVP_PKEY_OP_SIGNMSG,
550 "ECDSA Digest Sign Init");
551 }
552
553 static int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data,
554 size_t datalen)
555 {
556 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
557
558 if (ctx == NULL || ctx->mdctx == NULL)
559 return 0;
560 /* Sigalg implementations shouldn't do digest_sign */
561 if (ctx->flag_sigalg)
562 return 0;
563
564 return ecdsa_signverify_message_update(vctx, data, datalen);
565 }
566
567 int ecdsa_digest_sign_final(void *vctx, unsigned char *sig, size_t *siglen,
568 size_t sigsize)
569 {
570 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
571 int ok = 0;
572
573 if (ctx == NULL)
574 return 0;
575 /* Sigalg implementations shouldn't do digest_sign */
576 if (ctx->flag_sigalg)
577 return 0;
578
579 ok = ecdsa_sign_message_final(ctx, sig, siglen, sigsize);
580
581 ctx->flag_allow_md = 1;
582
583 return ok;
584 }
585
586 static int ecdsa_digest_verify_init(void *vctx, const char *mdname, void *ec,
587 const OSSL_PARAM params[])
588 {
589 return ecdsa_digest_signverify_init(vctx, mdname, ec, params,
590 EVP_PKEY_OP_VERIFYMSG,
591 "ECDSA Digest Verify Init");
592 }
593
594 int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
595 size_t siglen)
596 {
597 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
598 int ok = 0;
599
600 if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
601 return 0;
602
603 /* Sigalg implementations shouldn't do digest_verify */
604 if (ctx->flag_sigalg)
605 return 0;
606
607 if (ecdsa_verify_set_sig(ctx, sig, siglen))
608 ok = ecdsa_verify_message_final(ctx);
609
610 ctx->flag_allow_md = 1;
611
612 return ok;
613 }
614
615 static void ecdsa_freectx(void *vctx)
616 {
617 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
618
619 EVP_MD_CTX_free(ctx->mdctx);
620 EVP_MD_free(ctx->md);
621 OPENSSL_free(ctx->propq);
622 OPENSSL_free(ctx->sig);
623 EC_KEY_free(ctx->ec);
624 BN_clear_free(ctx->kinv);
625 BN_clear_free(ctx->r);
626 OPENSSL_free(ctx);
627 }
628
629 static void *ecdsa_dupctx(void *vctx)
630 {
631 PROV_ECDSA_CTX *srcctx = (PROV_ECDSA_CTX *)vctx;
632 PROV_ECDSA_CTX *dstctx;
633
634 if (!ossl_prov_is_running())
635 return NULL;
636
637 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
638 if (dstctx == NULL)
639 return NULL;
640
641 *dstctx = *srcctx;
642 dstctx->ec = NULL;
643 dstctx->propq = NULL;
644
645 if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
646 goto err;
647 /* Test KATS should not need to be supported */
648 if (srcctx->kinv != NULL || srcctx->r != NULL)
649 goto err;
650 dstctx->ec = srcctx->ec;
651
652 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
653 goto err;
654 dstctx->md = srcctx->md;
655
656 if (srcctx->mdctx != NULL) {
657 dstctx->mdctx = EVP_MD_CTX_new();
658 if (dstctx->mdctx == NULL
659 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
660 goto err;
661 }
662
663 if (srcctx->propq != NULL) {
664 dstctx->propq = OPENSSL_strdup(srcctx->propq);
665 if (dstctx->propq == NULL)
666 goto err;
667 }
668
669 return dstctx;
670 err:
671 ecdsa_freectx(dstctx);
672 return NULL;
673 }
674
675 static int ecdsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
676 {
677 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
678 OSSL_PARAM *p;
679
680 if (ctx == NULL)
681 return 0;
682
683 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
684 if (p != NULL && !OSSL_PARAM_set_octet_string(p,
685 ctx->aid_len == 0 ? NULL : ctx->aid_buf,
686 ctx->aid_len))
687 return 0;
688
689 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
690 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
691 return 0;
692
693 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
694 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL
695 ? ctx->mdname
696 : EVP_MD_get0_name(ctx->md)))
697 return 0;
698
699 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_NONCE_TYPE);
700 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->nonce_type))
701 return 0;
702
703 #ifdef FIPS_MODULE
704 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
705 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->verify_message))
706 return 0;
707 #endif
708
709 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
710 return 0;
711 return 1;
712 }
713
714 static const OSSL_PARAM known_gettable_ctx_params[] = {
715 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
716 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
717 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
718 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, NULL),
719 #ifdef FIPS_MODULE
720 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
721 #endif
722 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
723 OSSL_PARAM_END
724 };
725
726 static const OSSL_PARAM *ecdsa_gettable_ctx_params(ossl_unused void *vctx,
727 ossl_unused void *provctx)
728 {
729 return known_gettable_ctx_params;
730 }
731
732 /**
733 * @brief Set up common params for ecdsa_set_ctx_params and
734 * ecdsa_sigalg_set_ctx_params. The caller is responsible for checking |vctx| is
735 * not NULL and |params| is not empty.
736 */
737 static int ecdsa_common_set_ctx_params(void *vctx, const OSSL_PARAM params[])
738 {
739 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
740 const OSSL_PARAM *p;
741
742 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
743 OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))
744 return 0;
745 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, params,
746 OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))
747 return 0;
748
749 #if !defined(OPENSSL_NO_ACVP_TESTS)
750 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
751 if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
752 return 0;
753 #endif
754
755 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_NONCE_TYPE);
756 if (p != NULL
757 && !OSSL_PARAM_get_uint(p, &ctx->nonce_type))
758 return 0;
759 return 1;
760 }
761
762 #define ECDSA_COMMON_SETTABLE_CTX_PARAMS \
763 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL), \
764 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, NULL), \
765 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) \
766 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) \
767 OSSL_PARAM_END
768
769 static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
770 {
771 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
772 const OSSL_PARAM *p;
773 size_t mdsize = 0;
774 int ret;
775
776 if (ctx == NULL)
777 return 0;
778 if (ossl_param_is_empty(params))
779 return 1;
780
781 if ((ret = ecdsa_common_set_ctx_params(ctx, params)) <= 0)
782 return ret;
783
784 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
785 if (p != NULL) {
786 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname;
787 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops;
788 const OSSL_PARAM *propsp =
789 OSSL_PARAM_locate_const(params,
790 OSSL_SIGNATURE_PARAM_PROPERTIES);
791
792 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
793 return 0;
794 if (propsp != NULL
795 && !OSSL_PARAM_get_utf8_string(propsp, &pmdprops, sizeof(mdprops)))
796 return 0;
797 if (!ecdsa_setup_md(ctx, mdname, mdprops, "ECDSA Set Ctx"))
798 return 0;
799 }
800
801 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
802 if (p != NULL) {
803 if (!OSSL_PARAM_get_size_t(p, &mdsize)
804 || (!ctx->flag_allow_md && mdsize != ctx->mdsize))
805 return 0;
806 ctx->mdsize = mdsize;
807 }
808 return 1;
809 }
810
811 static const OSSL_PARAM settable_ctx_params[] = {
812 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
813 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
814 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
815 ECDSA_COMMON_SETTABLE_CTX_PARAMS
816 };
817
818 static const OSSL_PARAM *ecdsa_settable_ctx_params(void *vctx,
819 ossl_unused void *provctx)
820 {
821 return settable_ctx_params;
822 }
823
824 static int ecdsa_get_ctx_md_params(void *vctx, OSSL_PARAM *params)
825 {
826 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
827
828 if (ctx->mdctx == NULL)
829 return 0;
830
831 return EVP_MD_CTX_get_params(ctx->mdctx, params);
832 }
833
834 static const OSSL_PARAM *ecdsa_gettable_ctx_md_params(void *vctx)
835 {
836 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
837
838 if (ctx->md == NULL)
839 return 0;
840
841 return EVP_MD_gettable_ctx_params(ctx->md);
842 }
843
844 static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
845 {
846 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
847
848 if (ctx->mdctx == NULL)
849 return 0;
850
851 return EVP_MD_CTX_set_params(ctx->mdctx, params);
852 }
853
854 static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
855 {
856 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
857
858 if (ctx->md == NULL)
859 return 0;
860
861 return EVP_MD_settable_ctx_params(ctx->md);
862 }
863
864 const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
865 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
866 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
867 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
868 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_verify_init },
869 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
870 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
871 (void (*)(void))ecdsa_digest_sign_init },
872 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
873 (void (*)(void))ecdsa_digest_signverify_update },
874 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
875 (void (*)(void))ecdsa_digest_sign_final },
876 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
877 (void (*)(void))ecdsa_digest_verify_init },
878 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
879 (void (*)(void))ecdsa_digest_signverify_update },
880 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
881 (void (*)(void))ecdsa_digest_verify_final },
882 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
883 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
884 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
885 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
886 (void (*)(void))ecdsa_gettable_ctx_params },
887 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
888 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
889 (void (*)(void))ecdsa_settable_ctx_params },
890 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
891 (void (*)(void))ecdsa_get_ctx_md_params },
892 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
893 (void (*)(void))ecdsa_gettable_ctx_md_params },
894 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
895 (void (*)(void))ecdsa_set_ctx_md_params },
896 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
897 (void (*)(void))ecdsa_settable_ctx_md_params },
898 OSSL_DISPATCH_END
899 };
900
901 /* ------------------------------------------------------------------ */
902
903 /*
904 * So called sigalgs (composite ECDSA+hash) implemented below. They
905 * are pretty much hard coded.
906 */
907
908 static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types;
909 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_sigalg_settable_ctx_params;
910 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_sigalg_set_ctx_params;
911
912 /*
913 * ecdsa_sigalg_signverify_init() is almost like ecdsa_digest_signverify_init(),
914 * just doesn't allow fetching an MD from whatever the user chooses.
915 */
916 static int ecdsa_sigalg_signverify_init(void *vctx, void *vec,
917 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
918 const OSSL_PARAM params[],
919 const char *mdname,
920 int operation, const char *desc)
921 {
922 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
923
924 if (!ossl_prov_is_running())
925 return 0;
926
927 if (!ecdsa_signverify_init(vctx, vec, set_ctx_params, params, operation,
928 desc))
929 return 0;
930
931 if (!ecdsa_setup_md(ctx, mdname, NULL, desc))
932 return 0;
933
934 ctx->flag_sigalg = 1;
935 ctx->flag_allow_md = 0;
936
937 if (ctx->mdctx == NULL) {
938 ctx->mdctx = EVP_MD_CTX_new();
939 if (ctx->mdctx == NULL)
940 goto error;
941 }
942
943 if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
944 goto error;
945
946 return 1;
947
948 error:
949 EVP_MD_CTX_free(ctx->mdctx);
950 ctx->mdctx = NULL;
951 return 0;
952 }
953
954 static const char **ecdsa_sigalg_query_key_types(void)
955 {
956 static const char *keytypes[] = { "EC", NULL };
957
958 return keytypes;
959 }
960
961 static const OSSL_PARAM settable_sigalg_ctx_params[] = {
962 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
963 ECDSA_COMMON_SETTABLE_CTX_PARAMS
964 };
965
966 static const OSSL_PARAM *ecdsa_sigalg_settable_ctx_params(void *vctx,
967 ossl_unused void *provctx)
968 {
969 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
970
971 if (ctx != NULL && ctx->operation == EVP_PKEY_OP_VERIFYMSG)
972 return settable_sigalg_ctx_params;
973 return NULL;
974 }
975
976 static int ecdsa_sigalg_set_ctx_params(void *vctx, const OSSL_PARAM params[])
977 {
978 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
979 const OSSL_PARAM *p;
980 int ret;
981
982 if (ctx == NULL)
983 return 0;
984 if (ossl_param_is_empty(params))
985 return 1;
986
987 if ((ret = ecdsa_common_set_ctx_params(ctx, params)) <= 0)
988 return ret;
989
990 if (ctx->operation == EVP_PKEY_OP_VERIFYMSG) {
991 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
992 if (p != NULL) {
993 OPENSSL_free(ctx->sig);
994 ctx->sig = NULL;
995 ctx->siglen = 0;
996 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sig,
997 0, &ctx->siglen))
998 return 0;
999 }
1000 }
1001 return 1;
1002 }
1003
1004 #define IMPL_ECDSA_SIGALG(md, MD) \
1005 static OSSL_FUNC_signature_sign_init_fn ecdsa_##md##_sign_init; \
1006 static OSSL_FUNC_signature_sign_message_init_fn \
1007 ecdsa_##md##_sign_message_init; \
1008 static OSSL_FUNC_signature_verify_init_fn ecdsa_##md##_verify_init; \
1009 static OSSL_FUNC_signature_verify_message_init_fn \
1010 ecdsa_##md##_verify_message_init; \
1011 \
1012 static int \
1013 ecdsa_##md##_sign_init(void *vctx, void *vec, \
1014 const OSSL_PARAM params[]) \
1015 { \
1016 static const char desc[] = "ECDSA-" #MD " Sign Init"; \
1017 \
1018 return ecdsa_sigalg_signverify_init(vctx, vec, \
1019 ecdsa_sigalg_set_ctx_params, \
1020 params, #MD, \
1021 EVP_PKEY_OP_SIGN, \
1022 desc); \
1023 } \
1024 \
1025 static int \
1026 ecdsa_##md##_sign_message_init(void *vctx, void *vec, \
1027 const OSSL_PARAM params[]) \
1028 { \
1029 static const char desc[] = "ECDSA-" #MD " Sign Message Init"; \
1030 \
1031 return ecdsa_sigalg_signverify_init(vctx, vec, \
1032 ecdsa_sigalg_set_ctx_params, \
1033 params, #MD, \
1034 EVP_PKEY_OP_SIGNMSG, \
1035 desc); \
1036 } \
1037 \
1038 static int \
1039 ecdsa_##md##_verify_init(void *vctx, void *vec, \
1040 const OSSL_PARAM params[]) \
1041 { \
1042 static const char desc[] = "ECDSA-" #MD " Verify Init"; \
1043 \
1044 return ecdsa_sigalg_signverify_init(vctx, vec, \
1045 ecdsa_sigalg_set_ctx_params, \
1046 params, #MD, \
1047 EVP_PKEY_OP_VERIFY, \
1048 desc); \
1049 } \
1050 \
1051 static int \
1052 ecdsa_##md##_verify_message_init(void *vctx, void *vec, \
1053 const OSSL_PARAM params[]) \
1054 { \
1055 static const char desc[] = "ECDSA-" #MD " Verify Message Init"; \
1056 \
1057 return ecdsa_sigalg_signverify_init(vctx, vec, \
1058 ecdsa_sigalg_set_ctx_params, \
1059 params, #MD, \
1060 EVP_PKEY_OP_VERIFYMSG, \
1061 desc); \
1062 } \
1063 \
1064 const OSSL_DISPATCH ossl_ecdsa_##md##_signature_functions[] = { \
1065 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, \
1066 { OSSL_FUNC_SIGNATURE_SIGN_INIT, \
1067 (void (*)(void))ecdsa_##md##_sign_init }, \
1068 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign }, \
1069 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \
1070 (void (*)(void))ecdsa_##md##_sign_message_init }, \
1071 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \
1072 (void (*)(void))ecdsa_signverify_message_update }, \
1073 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \
1074 (void (*)(void))ecdsa_sign_message_final }, \
1075 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \
1076 (void (*)(void))ecdsa_##md##_verify_init }, \
1077 { OSSL_FUNC_SIGNATURE_VERIFY, \
1078 (void (*)(void))ecdsa_verify }, \
1079 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \
1080 (void (*)(void))ecdsa_##md##_verify_message_init }, \
1081 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \
1082 (void (*)(void))ecdsa_signverify_message_update }, \
1083 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \
1084 (void (*)(void))ecdsa_verify_message_final }, \
1085 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx }, \
1086 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx }, \
1087 { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \
1088 (void (*)(void))ecdsa_sigalg_query_key_types }, \
1089 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \
1090 (void (*)(void))ecdsa_get_ctx_params }, \
1091 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \
1092 (void (*)(void))ecdsa_gettable_ctx_params }, \
1093 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \
1094 (void (*)(void))ecdsa_sigalg_set_ctx_params }, \
1095 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \
1096 (void (*)(void))ecdsa_sigalg_settable_ctx_params }, \
1097 OSSL_DISPATCH_END \
1098 }
1099
1100 IMPL_ECDSA_SIGALG(sha1, SHA1);
1101 IMPL_ECDSA_SIGALG(sha224, SHA2-224);
1102 IMPL_ECDSA_SIGALG(sha256, SHA2-256);
1103 IMPL_ECDSA_SIGALG(sha384, SHA2-384);
1104 IMPL_ECDSA_SIGALG(sha512, SHA2-512);
1105 IMPL_ECDSA_SIGALG(sha3_224, SHA3-224);
1106 IMPL_ECDSA_SIGALG(sha3_256, SHA3-256);
1107 IMPL_ECDSA_SIGALG(sha3_384, SHA3-384);
1108 IMPL_ECDSA_SIGALG(sha3_512, SHA3-512);
1109